Stimulus Bill HIPAA Amendments Require Employers, Health Plans & Business Associates To Act

Cynthia Stamer
February 27, 2009

A recently announced CVS settlement agreement and newly enacted amendments to the Privacy & Security Standards of the Health Insurance Portability & Accountability Act ("HIPAA") require that health care providers, health plans, health care clearinghouses and their business associates review and tighten their practices governing the use, protection and disclosure of protected health information ("PHI") to guard against growing liability exposures under HIPAA and other federal and state laws. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules.

On February 18, 2009, the U.S. Department of Health and Human Services ("HHS") Office of Civil Rights ("OCR") and the Federal Trade Commission ("FTC") jointly announced that CVS Pharmacy, Inc., the nation's largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement to resolve charges that it violated HIPAA and other laws by disposing of pill bottles, prescriptions and other non-electronic records in dumpsters. The settlement is the second Resolution Agreement announced by OCR. Under the Resolution Agreement, CVS also must take corrective action to ensure that it does not violate the HIPAA privacy rights of its millions of patients when disposing of non-electronic patient information such as identifying information on pill bottle labels. CVS also will conduct employee training on HIPAA compliance and impose sanctions for any noncompliance. In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act. The investigation resulting in the settlement marks the first instance in which OCR formally coordinated the investigation and resolution of a case with the FTC.

The CVS Resolution Agreement was announced just one day after President Obama signed into law amendments to the HIPAA Privacy & Security Rules enacted as part of the American Recovery and Reinvestment Act of 2009 (the "Stimulus Bill"). Among other things, the Stimulus Bill:

  • Added business associates to the list of parties required to comply with, and subject to civil and criminal liability for violating, HIPAA's Privacy & Security Standards, so that HIPAA's requirements now apply to health care providers, health plans, health care clearinghouses and their business associates (collectively, "covered entities");
  • Prohibited the sale of PHI without prior written consent from the subject of the information, and further restricted and regulated certain other uses and disclosures of PHI;
  • Required covered entities to notify both OCR and the affected individuals when a data breach involving PHI occurs;
  • Allowed state Attorneys General to sue for civil damages when a covered entity's breach of HIPAA's Privacy or Security Standards harms citizens of their state; and
  • Increased and modified HIPAA's criminal and civil sanctions and imposed other tightened HIPAA obligations.

The CVS Resolution Agreement and the Stimulus Bill amendments reflect the growing obligations and enforcement risks that covered entities face when PHI is breached or HIPAA's requirements otherwise are not met. They follow OCR's July 2008 announcement of its first Resolution Agreement, with Seattle-based Providence Health & Services ("Providence"), under which Providence agreed to pay a $100,000 settlement and implement a detailed Corrective Action Plan for safeguarding electronic PHI against theft or loss after certain unencrypted electronic PHI was lost or stolen. Covered entities must update their policies and practices to avoid these growing liabilities.

Cynthia Stamer

Cynthia Marcotte Stamer is nationally and internationally recognized for her work assisting businesses, governments, and other entities to develop creative strategies for dealing with employee benefit and related human resources, insurance, health care and finance concerns. Ms. Stamer helps businesses design, administer and defend cost-effective employee benefit and other human resources programs, policies and procedures to meet their budgetary and other business objectives.